1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2013 Politecnico di Torino, Italy
4 * TORSEC group -- https://security.polito.it
6 * Author: Roberto Sassu <roberto.sassu@polito.it>
8 * File: ima_template_lib.c
9 * Library of supported template fields.
12 #include "ima_template_lib.h"
13 #include <linux/xattr.h>
14 #include <linux/evm.h>
16 static bool ima_template_hash_algo_allowed(u8 algo)
18 if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5)
26 DATA_FMT_DIGEST_WITH_ALGO,
32 static int ima_write_template_field_data(const void *data, const u32 datalen,
33 enum data_formats datafmt,
34 struct ima_field_data *field_data)
39 if (datafmt == DATA_FMT_STRING)
42 buf = kzalloc(buflen, GFP_KERNEL);
46 memcpy(buf, data, datalen);
49 * Replace all space characters with underscore for event names and
50 * strings. This avoid that, during the parsing of a measurements list,
51 * filenames with spaces or that end with the suffix ' (deleted)' are
52 * split into multiple template fields (the space is the delimitator
53 * character for measurements lists in ASCII format).
55 if (datafmt == DATA_FMT_STRING) {
56 for (buf_ptr = buf; buf_ptr - buf < datalen; buf_ptr++)
61 field_data->data = buf;
62 field_data->len = buflen;
66 static void ima_show_template_data_ascii(struct seq_file *m,
67 enum ima_show_type show,
68 enum data_formats datafmt,
69 struct ima_field_data *field_data)
71 u8 *buf_ptr = field_data->data;
72 u32 buflen = field_data->len;
75 case DATA_FMT_DIGEST_WITH_ALGO:
76 buf_ptr = strnchr(field_data->data, buflen, ':');
77 if (buf_ptr != field_data->data)
78 seq_printf(m, "%s", field_data->data);
80 /* skip ':' and '\0' */
82 buflen -= buf_ptr - field_data->data;
88 ima_print_digest(m, buf_ptr, buflen);
91 seq_printf(m, "%s", buf_ptr);
94 switch (field_data->len) {
96 seq_printf(m, "%u", *(u8 *)buf_ptr);
99 if (ima_canonical_fmt)
101 le16_to_cpu(*(__le16 *)buf_ptr));
103 seq_printf(m, "%u", *(u16 *)buf_ptr);
106 if (ima_canonical_fmt)
108 le32_to_cpu(*(__le32 *)buf_ptr));
110 seq_printf(m, "%u", *(u32 *)buf_ptr);
113 if (ima_canonical_fmt)
114 seq_printf(m, "%llu",
115 le64_to_cpu(*(__le64 *)buf_ptr));
117 seq_printf(m, "%llu", *(u64 *)buf_ptr);
128 static void ima_show_template_data_binary(struct seq_file *m,
129 enum ima_show_type show,
130 enum data_formats datafmt,
131 struct ima_field_data *field_data)
133 u32 len = (show == IMA_SHOW_BINARY_OLD_STRING_FMT) ?
134 strlen(field_data->data) : field_data->len;
136 if (show != IMA_SHOW_BINARY_NO_FIELD_LEN) {
137 u32 field_len = !ima_canonical_fmt ?
138 len : (__force u32)cpu_to_le32(len);
140 ima_putc(m, &field_len, sizeof(field_len));
146 ima_putc(m, field_data->data, len);
149 static void ima_show_template_field_data(struct seq_file *m,
150 enum ima_show_type show,
151 enum data_formats datafmt,
152 struct ima_field_data *field_data)
156 ima_show_template_data_ascii(m, show, datafmt, field_data);
158 case IMA_SHOW_BINARY:
159 case IMA_SHOW_BINARY_NO_FIELD_LEN:
160 case IMA_SHOW_BINARY_OLD_STRING_FMT:
161 ima_show_template_data_binary(m, show, datafmt, field_data);
168 void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
169 struct ima_field_data *field_data)
171 ima_show_template_field_data(m, show, DATA_FMT_DIGEST, field_data);
174 void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
175 struct ima_field_data *field_data)
177 ima_show_template_field_data(m, show, DATA_FMT_DIGEST_WITH_ALGO,
181 void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
182 struct ima_field_data *field_data)
184 ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data);
187 void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
188 struct ima_field_data *field_data)
190 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
193 void ima_show_template_buf(struct seq_file *m, enum ima_show_type show,
194 struct ima_field_data *field_data)
196 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
199 void ima_show_template_uint(struct seq_file *m, enum ima_show_type show,
200 struct ima_field_data *field_data)
202 ima_show_template_field_data(m, show, DATA_FMT_UINT, field_data);
206 * ima_parse_buf() - Parses lengths and data from an input buffer
207 * @bufstartp: Buffer start address.
208 * @bufendp: Buffer end address.
209 * @bufcurp: Pointer to remaining (non-parsed) data.
210 * @maxfields: Length of fields array.
211 * @fields: Array containing lengths and pointers of parsed data.
212 * @curfields: Number of array items containing parsed data.
213 * @len_mask: Bitmap (if bit is set, data length should not be parsed).
214 * @enforce_mask: Check if curfields == maxfields and/or bufcurp == bufendp.
215 * @bufname: String identifier of the input buffer.
217 * Return: 0 on success, -EINVAL on error.
219 int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp,
220 int maxfields, struct ima_field_data *fields, int *curfields,
221 unsigned long *len_mask, int enforce_mask, char *bufname)
223 void *bufp = bufstartp;
226 for (i = 0; i < maxfields; i++) {
227 if (len_mask == NULL || !test_bit(i, len_mask)) {
228 if (bufp > (bufendp - sizeof(u32)))
231 if (ima_canonical_fmt)
232 fields[i].len = le32_to_cpu(*(__le32 *)bufp);
234 fields[i].len = *(u32 *)bufp;
239 if (bufp > (bufendp - fields[i].len))
242 fields[i].data = bufp;
243 bufp += fields[i].len;
246 if ((enforce_mask & ENFORCE_FIELDS) && i != maxfields) {
247 pr_err("%s: nr of fields mismatch: expected: %d, current: %d\n",
248 bufname, maxfields, i);
252 if ((enforce_mask & ENFORCE_BUFEND) && bufp != bufendp) {
253 pr_err("%s: buf end mismatch: expected: %p, current: %p\n",
254 bufname, bufendp, bufp);
267 static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
269 struct ima_field_data *field_data)
273 * - DATA_FMT_DIGEST: digest
274 * - DATA_FMT_DIGEST_WITH_ALGO: [<hash algo>] + ':' + '\0' + digest,
275 * where <hash algo> is provided if the hash algoritm is not
278 u8 buffer[CRYPTO_MAX_ALG_NAME + 2 + IMA_MAX_DIGEST_SIZE] = { 0 };
279 enum data_formats fmt = DATA_FMT_DIGEST;
282 if (hash_algo < HASH_ALGO__LAST) {
283 fmt = DATA_FMT_DIGEST_WITH_ALGO;
284 offset += snprintf(buffer, CRYPTO_MAX_ALG_NAME + 1, "%s",
285 hash_algo_name[hash_algo]);
286 buffer[offset] = ':';
291 memcpy(buffer + offset, digest, digestsize);
294 * If digest is NULL, the event being recorded is a violation.
295 * Make room for the digest by increasing the offset of
298 offset += IMA_DIGEST_SIZE;
300 return ima_write_template_field_data(buffer, offset + digestsize,
305 * This function writes the digest of an event (with size limit).
307 int ima_eventdigest_init(struct ima_event_data *event_data,
308 struct ima_field_data *field_data)
311 struct ima_digest_data hdr;
312 char digest[IMA_MAX_DIGEST_SIZE];
314 u8 *cur_digest = NULL;
315 u32 cur_digestsize = 0;
319 memset(&hash, 0, sizeof(hash));
321 if (event_data->violation) /* recording a violation. */
324 if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
325 cur_digest = event_data->iint->ima_hash->digest;
326 cur_digestsize = event_data->iint->ima_hash->length;
330 if ((const char *)event_data->filename == boot_aggregate_name) {
332 hash.hdr.algo = HASH_ALGO_SHA1;
333 result = ima_calc_boot_aggregate(&hash.hdr);
335 /* algo can change depending on available PCR banks */
336 if (!result && hash.hdr.algo != HASH_ALGO_SHA1)
340 memset(&hash, 0, sizeof(hash));
343 cur_digest = hash.hdr.digest;
344 cur_digestsize = hash_digest_size[HASH_ALGO_SHA1];
348 if (!event_data->file) /* missing info to re-calculate the digest */
351 inode = file_inode(event_data->file);
352 hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
353 ima_hash_algo : HASH_ALGO_SHA1;
354 result = ima_calc_file_hash(event_data->file, &hash.hdr);
356 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
357 event_data->filename, "collect_data",
358 "failed", result, 0);
361 cur_digest = hash.hdr.digest;
362 cur_digestsize = hash.hdr.length;
364 return ima_eventdigest_init_common(cur_digest, cur_digestsize,
365 HASH_ALGO__LAST, field_data);
369 * This function writes the digest of an event (without size limit).
371 int ima_eventdigest_ng_init(struct ima_event_data *event_data,
372 struct ima_field_data *field_data)
374 u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
375 u32 cur_digestsize = 0;
377 if (event_data->violation) /* recording a violation. */
380 cur_digest = event_data->iint->ima_hash->digest;
381 cur_digestsize = event_data->iint->ima_hash->length;
383 hash_algo = event_data->iint->ima_hash->algo;
385 return ima_eventdigest_init_common(cur_digest, cur_digestsize,
386 hash_algo, field_data);
390 * This function writes the digest of the file which is expected to match the
391 * digest contained in the file's appended signature.
393 int ima_eventdigest_modsig_init(struct ima_event_data *event_data,
394 struct ima_field_data *field_data)
396 enum hash_algo hash_algo;
397 const u8 *cur_digest;
400 if (!event_data->modsig)
403 if (event_data->violation) {
404 /* Recording a violation. */
405 hash_algo = HASH_ALGO_SHA1;
411 rc = ima_get_modsig_digest(event_data->modsig, &hash_algo,
412 &cur_digest, &cur_digestsize);
415 else if (hash_algo == HASH_ALGO__LAST || cur_digestsize == 0)
416 /* There was some error collecting the digest. */
420 return ima_eventdigest_init_common(cur_digest, cur_digestsize,
421 hash_algo, field_data);
424 static int ima_eventname_init_common(struct ima_event_data *event_data,
425 struct ima_field_data *field_data,
428 const char *cur_filename = NULL;
429 u32 cur_filename_len = 0;
431 BUG_ON(event_data->filename == NULL && event_data->file == NULL);
433 if (event_data->filename) {
434 cur_filename = event_data->filename;
435 cur_filename_len = strlen(event_data->filename);
437 if (!size_limit || cur_filename_len <= IMA_EVENT_NAME_LEN_MAX)
441 if (event_data->file) {
442 cur_filename = event_data->file->f_path.dentry->d_name.name;
443 cur_filename_len = strlen(cur_filename);
446 * Truncate filename if the latter is too long and
447 * the file descriptor is not available.
449 cur_filename_len = IMA_EVENT_NAME_LEN_MAX;
451 return ima_write_template_field_data(cur_filename, cur_filename_len,
452 DATA_FMT_STRING, field_data);
456 * This function writes the name of an event (with size limit).
458 int ima_eventname_init(struct ima_event_data *event_data,
459 struct ima_field_data *field_data)
461 return ima_eventname_init_common(event_data, field_data, true);
465 * This function writes the name of an event (without size limit).
467 int ima_eventname_ng_init(struct ima_event_data *event_data,
468 struct ima_field_data *field_data)
470 return ima_eventname_init_common(event_data, field_data, false);
474 * ima_eventsig_init - include the file signature as part of the template data
476 int ima_eventsig_init(struct ima_event_data *event_data,
477 struct ima_field_data *field_data)
479 struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
481 if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
482 return ima_eventevmsig_init(event_data, field_data);
484 return ima_write_template_field_data(xattr_value, event_data->xattr_len,
485 DATA_FMT_HEX, field_data);
489 * ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the
492 int ima_eventbuf_init(struct ima_event_data *event_data,
493 struct ima_field_data *field_data)
495 if ((!event_data->buf) || (event_data->buf_len == 0))
498 return ima_write_template_field_data(event_data->buf,
499 event_data->buf_len, DATA_FMT_HEX,
504 * ima_eventmodsig_init - include the appended file signature as part of the
507 int ima_eventmodsig_init(struct ima_event_data *event_data,
508 struct ima_field_data *field_data)
514 if (!event_data->modsig)
518 * modsig is a runtime structure containing pointers. Get its raw data
521 rc = ima_get_raw_modsig(event_data->modsig, &data, &data_len);
525 return ima_write_template_field_data(data, data_len, DATA_FMT_HEX,
530 * ima_eventevmsig_init - include the EVM portable signature as part of the
533 int ima_eventevmsig_init(struct ima_event_data *event_data,
534 struct ima_field_data *field_data)
536 struct evm_ima_xattr_data *xattr_data = NULL;
539 if (!event_data->file)
542 rc = vfs_getxattr_alloc(&init_user_ns, file_dentry(event_data->file),
543 XATTR_NAME_EVM, (char **)&xattr_data, 0,
548 if (xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) {
553 rc = ima_write_template_field_data((char *)xattr_data, rc, DATA_FMT_HEX,
559 static int ima_eventinodedac_init_common(struct ima_event_data *event_data,
560 struct ima_field_data *field_data,
565 if (!event_data->file)
569 id = i_uid_read(file_inode(event_data->file));
571 id = i_gid_read(file_inode(event_data->file));
573 if (ima_canonical_fmt) {
574 if (sizeof(id) == sizeof(u16))
575 id = (__force u16)cpu_to_le16(id);
577 id = (__force u32)cpu_to_le32(id);
580 return ima_write_template_field_data((void *)&id, sizeof(id),
581 DATA_FMT_UINT, field_data);
585 * ima_eventinodeuid_init - include the inode UID as part of the template
588 int ima_eventinodeuid_init(struct ima_event_data *event_data,
589 struct ima_field_data *field_data)
591 return ima_eventinodedac_init_common(event_data, field_data, true);
595 * ima_eventinodegid_init - include the inode GID as part of the template
598 int ima_eventinodegid_init(struct ima_event_data *event_data,
599 struct ima_field_data *field_data)
601 return ima_eventinodedac_init_common(event_data, field_data, false);
605 * ima_eventinodemode_init - include the inode mode as part of the template
608 int ima_eventinodemode_init(struct ima_event_data *event_data,
609 struct ima_field_data *field_data)
614 if (!event_data->file)
617 inode = file_inode(event_data->file);
618 mode = inode->i_mode;
619 if (ima_canonical_fmt)
620 mode = (__force u16)cpu_to_le16(mode);
622 return ima_write_template_field_data((char *)&mode, sizeof(mode),
623 DATA_FMT_UINT, field_data);
626 static int ima_eventinodexattrs_init_common(struct ima_event_data *event_data,
627 struct ima_field_data *field_data,
633 if (!event_data->file)
636 rc = evm_read_protected_xattrs(file_dentry(event_data->file), NULL, 0,
637 type, ima_canonical_fmt);
641 buffer = kmalloc(rc, GFP_KERNEL);
645 rc = evm_read_protected_xattrs(file_dentry(event_data->file), buffer,
646 rc, type, ima_canonical_fmt);
652 rc = ima_write_template_field_data((char *)buffer, rc, DATA_FMT_HEX,
660 * ima_eventinodexattrnames_init - include a list of xattr names as part of the
663 int ima_eventinodexattrnames_init(struct ima_event_data *event_data,
664 struct ima_field_data *field_data)
666 return ima_eventinodexattrs_init_common(event_data, field_data, 'n');
670 * ima_eventinodexattrlengths_init - include a list of xattr lengths as part of
673 int ima_eventinodexattrlengths_init(struct ima_event_data *event_data,
674 struct ima_field_data *field_data)
676 return ima_eventinodexattrs_init_common(event_data, field_data, 'l');
680 * ima_eventinodexattrvalues_init - include a list of xattr values as part of
683 int ima_eventinodexattrvalues_init(struct ima_event_data *event_data,
684 struct ima_field_data *field_data)
686 return ima_eventinodexattrs_init_common(event_data, field_data, 'v');
projects / linux-2.6-microblaze.git / blob